[U-Boot] [RFC 00/15] efi_loader: add secure boot support

AKASHI Takahiro takahiro.akashi at linaro.org
Wed Sep 18 01:26:28 UTC 2019


One of major missing features in current UEFI implementation is "secure boot."
The ultimate goal of my attempt is to implement image authentication based
on signature and provide UEFI secure boot support which would be fully
compliant with UEFI specification, section 32[1].
(The code was originally developed by Patrick Wildt.)

While this patch/RFC is still rough-edged, the aim here is to get early
feedback from the community, as the patch is quite huge (in total) and also
as it's a security enhancement.

Please note, however, that this patch doesn't work on its own; there are
a couple of functional dependencies, [2], [3] and [4], that I have submitted
before, in addition to related preparatory patches [5], [6], [7] and [8] for
pytest support. For a complete workable patch set, see my repository [9],
which also contains experimental timestamp-based revocation support.

My "non-volatile" support [10], which is under review now, is not mandatory
and so is not included here, but this inevitably implies that, for example,
signature database variables, like db and dbx, won't be persistent unless you
explicitly run the "env save" command, and that UEFI variables are not separated
from the U-Boot environment. Anyhow, Linaro is also working on implementing
a real "secure storage" solution based on TF-A and OP-TEE.


Supported features:
* image authentication based on db and dbx
* supported signature types are
    EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
    EFI_CERT_X509_GUID (x509 certificate for signed images)
* SecureBoot/SignatureSupport variables
* SetupMode and user mode
* variable authentication based on PK and KEK
    EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
* pytest test cases

Unsupported features:
* hash algorithms other than SHA256
* dbt: timestamp(RFC6131)-based certificate revocation
* dbr: OS recovery
* xxxDefault: default values for signature stores
* transition to AuditMode and DeployedMode
* recording rejected images in EFI_IMAGE_EXECUTION_INFO_TABLE
* variable authentication based on PK and KEK
    EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS
* real secure storage, including hardware-specific PK (Platform Key)
  installation

Known issues:
* [3] and [4] have not been well reviewed yet.
* Some test case (test_efi_var_auth1:1g) still fails.
* Extensive clean-ups
* not bisect-ready (for easier code modification) for now

TODO:
* implement "unsupported" features, in particular, timestamp-based
  revocation
* fix some workarounds in the source (marked as TODO/FIXME)
* extensive test suite (or more test cases) to confirm compatibility
  with EDK2


Hints about how to use:
(Please see other documents, or my pytest scripts, for details.)
* You can create your own certificates with openssl.
* You can sign your application with pesign (on Ubuntu).
* You can create raw data for signature database with efitools, and
  install/manage authenticated variables with "env -set -e" command
  or efitools' "UpdateVars.efi" application.
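As an added illustration (not code from this patch set or from efitools), the following Python models the EFI_SIGNATURE_LIST layout that efitools emits for db/dbx and the lookup an unsigned image goes through: its SHA256 digest must appear in db under EFI_CERT_SHA256_GUID and must not appear in dbx, with dbx taking precedence. The owner GUID and the image bytes are constructed placeholders.

```python
import hashlib
import struct
import uuid

# GUIDs named in the UEFI spec (section 32); byte order on the wire is bytes_le.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Hypothetical SignatureOwner GUID for the constructed entries below.
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")

def build_sha256_siglist(digests):
    """Serialise one EFI_SIGNATURE_LIST holding EFI_CERT_SHA256_GUID entries.
    Layout: SignatureType(16) SignatureListSize(4) SignatureHeaderSize(4)
    SignatureSize(4) [header] then SignatureOwner(16)+SHA256(32) per entry."""
    sig_size = 16 + 32
    body = b"".join(OWNER_GUID.bytes_le + d for d in digests)
    hdr = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return hdr + body

def parse_siglists(blob):
    """Yield (SignatureType, SignatureData) for every entry in a db/dbx blob,
    which may concatenate several lists of different types."""
    off = 0
    while off < len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            yield sig_type, blob[pos + 16:pos + sig_size]  # skip SignatureOwner
            pos += sig_size
        off = end

def digest_listed(image, blob):
    """True if the image's SHA256 digest is an EFI_CERT_SHA256_GUID entry."""
    d = hashlib.sha256(image).digest()
    return any(t == EFI_CERT_SHA256_GUID and data == d for t, data in parse_siglists(blob))

def unsigned_image_allowed(image, db, dbx):
    """Forbidden (dbx) wins over allowed (db): a revoked digest never boots."""
    if digest_listed(image, dbx):
        return False
    return digest_listed(image, db)

# Constructed sample: two "images", the second one later revoked via dbx.
GOOD_IMAGE = b"constructed stand-in for an unsigned PE image"
BAD_IMAGE = b"constructed stand-in for a later-revoked image"
DB = build_sha256_siglist([hashlib.sha256(GOOD_IMAGE).digest(),
                           hashlib.sha256(BAD_IMAGE).digest()])
DBX = build_sha256_siglist([hashlib.sha256(BAD_IMAGE).digest()])
```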


[1] https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf
[2] https://lists.denx.de/pipermail/u-boot/2019-September/382911.html
    (support APPEND_WRITE)
[3] https://lists.denx.de/pipermail/u-boot/2019-September/382573.html
    (import x509/pkcs7 parsers from linux)
[4] https://lists.denx.de/pipermail/u-boot/2019-September/382917.html
    (extend rsa_verify() for UEFI secure boot)
[5] https://lists.denx.de/pipermail/u-boot/2019-August/382027.html
    (sandbox: fix cpu property in test.dts for pytest)
[6] https://lists.denx.de/pipermail/u-boot/2019-September/382914.html
    (extend "env [set|print] -e" to manage UEFI variables v1)
[7] https://lists.denx.de/pipermail/u-boot/2019-September/383343.html
    (install FILE_SYSTEM_PROTOCOL to a whole disk)
[8] https://lists.denx.de/pipermail/u-boot/2019-September/383348.html
    (support Sandbox's "host" device)
[9] http://git.linaro.org/people/takahiro.akashi/u-boot.git/ efi/secboot
[10] https://lists.denx.de/pipermail/u-boot/2019-September/382835.html
    (non-volatile variables support)


AKASHI Takahiro (15):
  lib: charset: add u16_str<n>cmp()
  test: add tests for u16_str<n>cmp()
  include: pe.h: add image-signing-related definitions
  include: image.h: add key info to image_sign_info
  include: image.h: export hash algorithm helper functions
  secure boot: rename CONFIG_SECURE_BOOT
  efi_loader: add signature verification functions
  efi_loader: variable: support variable authentication
  efi_loader: variable: add VendorKeys and SignatureSupport variables
  efi_loader: image_loader: support image authentication
  efi_loader: initialize secure boot state
  efi_loader: add CONFIG_EFI_SECURE_BOOT
  cmd: env: provide appropriate guid for well-defined variable
  efi_loader, pytest: add UEFI secure boot tests (image)
  efi_loader, pytest: add UEFI secure boot tests (authenticated
    variables)

 Kconfig                                       |   7 +
 arch/arm/cpu/armv7/ls102xa/Kconfig            |   3 +-
 arch/arm/cpu/armv8/fsl-layerscape/Kconfig     |   3 +-
 arch/arm/mach-imx/Kconfig                     |   3 +-
 arch/powerpc/cpu/mpc85xx/Kconfig              |   3 +-
 cmd/nvedit_efi.c                              |  31 +-
 include/charset.h                             |  15 +
 include/efi_api.h                             |  47 +
 include/efi_loader.h                          |  58 +-
 include/image.h                               |  17 +-
 include/pe.h                                  |  16 +
 lib/charset.c                                 |  25 +
 lib/efi_loader/Kconfig                        |  13 +
 lib/efi_loader/Makefile                       |   1 +
 lib/efi_loader/efi_boottime.c                 |   2 +-
 lib/efi_loader/efi_image_loader.c             | 364 ++++++-
 lib/efi_loader/efi_setup.c                    |   5 +
 lib/efi_loader/efi_signature.c                | 602 ++++++++++++
 lib/efi_loader/efi_variable.c                 | 928 ++++++++++++++++--
 test/py/tests/test_efi_secboot/conftest.py    | 168 ++++
 test/py/tests/test_efi_secboot/defs.py        |   7 +
 .../py/tests/test_efi_secboot/test_authvar.py | 287 ++++++
 test/py/tests/test_efi_secboot/test_signed.py |  97 ++
 .../tests/test_efi_secboot/test_unsigned.py   | 126 +++
 test/unicode_ut.c                             |  13 +
 25 files changed, 2714 insertions(+), 127 deletions(-)
 create mode 100644 lib/efi_loader/efi_signature.c
 create mode 100644 test/py/tests/test_efi_secboot/conftest.py
 create mode 100644 test/py/tests/test_efi_secboot/defs.py
 create mode 100644 test/py/tests/test_efi_secboot/test_authvar.py
 create mode 100644 test/py/tests/test_efi_secboot/test_signed.py
 create mode 100644 test/py/tests/test_efi_secboot/test_unsigned.py

-- 
2.21.0
